From: John Lane
Subject: Re: Patches to cryptomount (plain support, keyfiles and LUKS detached headers)
Date: Fri, 12 Jun 2015 20:15:32 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2

I did some work a while ago to update the crypto routines to support LUKS detached headers. I've been busy on other things but just found some time to update to the current master head.

On 22/01/15 21:04, Vladimir 'φ-coder/phcoder' Serbinenko wrote:

I've attached the patches here. They apply clean to c945ca75.

On 15.12.2014 12:30, John Lane wrote:

Hello, I've been working over the past couple of weeks on adding some functionality to the "cryptomount" command to support plain-mode dm-crypt, keyfiles and LUKS detached headers. I've put my work on GitHub and written a few notes on http://grub.johnlane.ie, along with my patches. I believe this is the right list to post this kind of thing on.

Sorry, we cannot accept patches which aren't sent to this ml by author. I'm not sure that all features are good. For starters plain mode is just difficult to set up and use. Please provide use cases not already covered by current features.

My target was to establish LUKS volumes with detached headers and key files and this is not already covered by current features. My specific use-case is booting secured systems where the boot environment (Grub, LUKS headers and keys) is contained on removable media such as a USB key. The non-removable hard-drive has no boot code on it; it just appears as an unformatted disk unless the removable key is used. To support this, it was necessary to add support to Grub for detached LUKS headers and keys. I am aware of a number of other people enquiring about this specific functionality so I am not alone in thinking it's a valid use-case.

Regarding plain mode, I don't understand why plain mode is "difficult to setup and use". I did the work on plain mode at the same time because one of the disks that I needed to work with was a plain mode disk. I asked about the existing but non-functioning "peter/devmapper" branch and spent some time trying to get that to work. In the end, and as I understand how LUKS uses dm-crypt, it seemed better to re-use the existing code base in the cryptodisk routines because this is more current, used and tested. By doing that I was able to get it to work very quickly.

I've been using my changes in daily use since my original postings last December. I've just updated to the latest head and the patches still merge cleanly. I'd appreciate it if these changes could be considered. If any more information would be useful please let me know. I can explain in detail what I did if there's interest in what I've done. I haven't added much code - I mostly made use of what was already there, using it in different ways to support some additional use-cases that I needed.

Best,
John Lane

_______________________________________________
Grub-devel mailing list
address@hidden
https://lists.gnu.org/mailman/listinfo/grub-devel

0001-Cryptomount-support-for-hyphens-in-UUID.patch
Description: Text Data
0002-Cryptomount-support-LUKS-detached-header.patch
Description: Text Data
0003-Cryptomount-support-plain-dm-crypt-and-key-files.patch
Description: Text Data
signature.asc
Description: OpenPGP digital signature